From: Nikita Popov
Date: Sun, 4 Jan 2015 16:57:23 +0000 (+0100)
Subject: Fix use after free for variables with integer names
X-Git-Tag: PRE_PHP7_REMOVALS~33^2~1
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=69a4b135f32108969f1a947a8bfdba3fcee967bb;p=php
Fix use after free for variables with integer names
---
diff --git a/Zend/tests/variable_with_integer_name.phpt b/Zend/tests/variable_with_integer_name.phpt
new file mode 100644
index 0000000000..c31d46941b
--- /dev/null
+++ b/Zend/tests/variable_with_integer_name.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Variable with integer name
+--FILE--
+
+--EXPECT--
+int(42)
diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
index 7f525ae5fc..334d733f29 100644
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@@ -1950,6 +1950,9 @@ static int zend_try_compile_cv(znode *result, zend_ast *ast) /* {{{ */
 result->op_type = IS_CV;
 result->u.op.var = lookup_cv(CG(active_op_array), name);
+ /* lookup_cv may be using another zend_string instance */
+ name = CG(active_op_array)->vars[EX_VAR_TO_NUM(result->u.op.var)];
+
 if (zend_string_equals_literal(name, "this")) {
 CG(active_op_array)->this_var = result->u.op.var;
 }
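Review bot: The added comment in zend_try_compile_cv, `/* lookup_cv may be using another zend_string instance */`, does not say why the old pointer is unsafe, which is the part a later maintainer needs. Going by the commit subject, lookup_cv() can apparently release the string it was handed and keep a different instance in the CV table (its body is not in this hunk), so `name` is dangling until it is reassigned; I would word the comment as `/* lookup_cv() may release the passed string and keep another instance; name must not be read until it is reloaded from vars[] */`. The function starts before and continues past the hunk, so any later read of `name` relies on this reassignment staying directly after the call. The new .phpt only checks the printed value, so it is worth running it under a memory checker such as ASan or valgrind, because a read of freed memory can still print `int(42)` in a normal build.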